Add more System Menu stage0s and add stage0 helper script
* first try at a stage0 ldscript helper script
  Co-Authored-By: Leseratte10 <Leseratte10@users.noreply.github.com>
* stage0-ldsgen: generalize code, for easily adding new patterns
* stage0-ldsgen: use argparse, add rendering from a template
* stage0-ldsgen: fix template name, add linkerscripts for all 4.3 titles
  Assumes payload_addr=0x80004000 is safe; tests pending
* start a .gitignore
* stage0-ldsgen: fix typo
  luckily this didn't break anything!
* Set default payload address
Bluebomb is an exploit for Broadcom’s Bluetooth stack used in the Nintendo Wii.
You will need a Linux computer to do this! Download the pre-built binaries from the releases page and follow these instructions.
Run `./configure --enable-deprecated && make` (if you are using Ubuntu, you might need to install some needed packages with `sudo apt install libglib2.0-dev libdbus-1-dev libudev-dev libical-dev libreadline-dev` before this works).
`tools` directory and run `sudo systemctl disable --now bluetooth`.
Type `info`. If you get an error about `Invalid index`, Linux can't find a Bluetooth device on your computer: on real hardware, make sure you have firmware for your Bluetooth adapter; in a VM, make sure you have passed the device through. Assuming the above does not happen, you can continue. Type `info` again, look at the results and check the `current settings` line for the following: `powered connectable discoverable bondable br/edr`. If you don't have one of the above settings in your list, make sure you executed all the above commands. You can now `exit` out of the management prompt.
`sudo ./hciconfig hci0 iac liac`
`sudo ./bluebomb ./stage0/MINI_SM_NTSC.bin stage1.bin` for an NTSC Wii Mini's System Menu. You can also specify which HCI device bluebomb should use by adding its index before the stage0 path, e.g. `sudo ./bluebomb 1 ./stage0/MINI_SM_NTSC.bin stage1.bin` to use HCI1.
`stage1.bin` you are using. The one from this repo will load `boot.elf` off the root of a FAT32-formatted USB drive and run it. You can use the HackMii Installer's boot.elf from here to get the Homebrew Channel.
IMPORTANT: The steps above will have disabled the Bluetooth service on your machine to run the exploit. To enable the Bluetooth service again, run `sudo systemctl enable --now bluetooth`.
Run `make` in the main folder, and `make` in the `stage0` folder to generate the app-specific payloads. `stage1.bin` is not yet user buildable; this repo will be updated with instructions on how to build it when it is done.
You will need to locate several addresses in memory from the app; Dolphin is very helpful here.
Create a copy of one of the existing app `.lds` files and give it an identifying name.
Open up the app in Dolphin and choose Symbols -> Generate Symbols From -> Signature Database.
Find the functions named in the steps below, including `process_l2cap_cmd` (use the Filter Symbols field).
Open up your app in some RE tool (Ghidra works well).
Go to `sdp_init`: the first function call is to `memset`, and its first argument is the `sdp_cb` address that you need.
Next go to `l2c_init`; just like before, the first function call is `memset` and its first argument is the second address you need.
`switch_address` is slightly more complicated. Go to the `process_l2cap_cmd` function and find the `switch` statement. Right before the `mtspr CTR,rx ; bctr` instructions there will be a `lwzx rx, rx, rx` instruction. If your RE tool knows the location of the switch table it might show it; if not, you will have to track the registers and find the address list that this `lwzx` instruction is pulling from. Once you find the list, go to the last address in it; it should be right before the string "L2CAP HOLD CONTINUE". The address of this entry in the list is what you want, not the address of the code that the switch statement jumps to. This address is your `switch_address`.
Finally you need the `switch_break` address. This is the address of the call to `l2cu_reject_connection` in case 2 of the switch statement in `process_l2cap_cmd`. There are two calls to it in case 2; you may use either one. Simply take the address of the `bl l2cu_reject_connection` instruction and that is your `switch_break`.
After placing all these values into the lds file you can also choose a `payload_addr`. This field is where `stage1.bin` will be read into when the exploit runs; you WILL have to adjust this to a memory region that isn't in use by your app while the exploit is running. If unsure, you can try something like 512 KB before the end of MEM1 (0x81780000). Please note the address used in the System Menu lds files will not work for any other app; don't try to copy this address.
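As an added example, not the project's own `stage0-ldsgen` script, here is a small Python generator in the spirit of the helper the commit message describes (argparse plus template rendering). It takes the five addresses found by the procedure above, checks that each one lies inside MEM1 and that the instruction, jump-table-entry and load addresses are word aligned, and renders a linker script from a template. The `.lds` layout, the `l2c_cb` name for the `l2c_init` address, and the sample values are assumptions; only `sdp_cb`, `switch_address`, `switch_break`, `payload_addr` and the 0x81780000 fallback are taken from this page.

```python
"""Render a Bluebomb-style stage0 linker script from hand-found addresses.

Added example, not the project's stage0-ldsgen. The template layout, the
`l2c_cb` symbol name and the sample addresses are assumptions.
"""
import argparse
from dataclasses import dataclass, fields
from string import Template

MEM1_START = 0x80000000                       # Wii MEM1 as the PowerPC sees it
MEM1_END = 0x81800000                         # exclusive; MEM1 is 24 MiB
DEFAULT_PAYLOAD_ADDR = MEM1_END - 512 * 1024  # 0x81780000, the README's fallback

# Assumed template; the project's real stage0 .lds files may be laid out differently.
LDS_TEMPLATE = Template("""\
/* stage0 linker script for ${app} (generated) */
sdp_cb         = 0x${sdp_cb};
l2c_cb         = 0x${l2c_cb};
switch_address = 0x${switch_address};
switch_break   = 0x${switch_break};
payload_addr   = 0x${payload_addr};
""")


@dataclass
class StageZeroAddrs:
    sdp_cb: int            # first memset() argument in sdp_init
    l2c_cb: int            # first memset() argument in l2c_init (symbol name assumed)
    switch_address: int    # address OF the last jump-table entry, not its target
    switch_break: int      # address of a `bl l2cu_reject_connection` in case 2
    payload_addr: int = DEFAULT_PAYLOAD_ADDR   # where stage1.bin gets loaded


def validate(a: StageZeroAddrs) -> list:
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    for f in fields(a):
        v = getattr(a, f.name)
        if not MEM1_START <= v < MEM1_END:
            problems.append(f"{f.name}=0x{v:08x} is outside MEM1")
    # Instruction addresses, jump-table entries and the load address are all
    # 32-bit words on PowerPC, so they must be 4-byte aligned.
    for name in ("switch_address", "switch_break", "payload_addr"):
        v = getattr(a, name)
        if v % 4:
            problems.append(f"{name}=0x{v:08x} is not 4-byte aligned")
    return problems


def render(app: str, a: StageZeroAddrs) -> str:
    """Render the .lds text, refusing to emit a script with bad addresses."""
    problems = validate(a)
    if problems:
        raise ValueError("; ".join(problems))
    values = {f.name: f"{getattr(a, f.name):08x}" for f in fields(a)}
    return LDS_TEMPLATE.substitute(app=app, **values)


def hexint(s: str) -> int:
    """argparse type: addresses are given as hex, with or without 0x."""
    return int(s, 16)


def parse_args(argv=None) -> argparse.Namespace:
    p = argparse.ArgumentParser(description="render a stage0 .lds from addresses")
    p.add_argument("app", help="title name used in the header comment")
    for f in fields(StageZeroAddrs):
        flag = "--" + f.name.replace("_", "-")
        if f.name == "payload_addr":
            p.add_argument(flag, type=hexint, default=DEFAULT_PAYLOAD_ADDR)
        else:
            p.add_argument(flag, type=hexint, required=True)
    return p.parse_args(argv)


if __name__ == "__main__":
    ns = parse_args()
    addrs = StageZeroAddrs(ns.sdp_cb, ns.l2c_cb, ns.switch_address,
                           ns.switch_break, ns.payload_addr)
    print(render(ns.app, addrs), end="")
```

Usage is `python stage0_lds.py MY_APP --sdp-cb 8031.... --l2c-cb ... --switch-address ... --switch-break ... > stage0/MY_APP.lds`; omitting `--payload-addr` uses the 512 KB-before-end-of-MEM1 fallback, which, as the README says, still has to be checked against what your app actually has mapped while the exploit runs.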